Vermont recently enacted two privacy bills to regulate health-related information. These include H.639, a genetic privacy bill regulating direct-to-consumer genetic testing companies, and the Vermont Data Privacy and Online Surveillance Act (S.71), a comprehensive privacy law that extends heightened protections to “consumer health data.” You can read our full analysis of S.71 here.

Genetic Privacy

H.639 regulates the activities of direct-to-consumer genetic testing companies and their service providers. The bill defines a direct-to-consumer genetic testing company as an entity that (i) “sells, markets, interprets, or otherwise offers consumer-initiated genetic testing products or services directly to consumers,” (ii) “analyzes genetic data obtained from a consumer, except to the extent the analysis is performed by a person licensed in the healing arts for diagnosis or treatment of a medical condition,” or (iii) “collects, uses, maintains, or discloses” genetic data that is “collected or derived from a direct-to-consumer genetic testing product or service” or “directly provided by a consumer.”

H.639 contains several exemptions, including for (i) de-identified data; (ii) data or samples “collected, used, maintained, and disclosed” (a) exclusively for scientific research conducted by an institution that holds an assurance with HHS pursuant to 45 C.F.R. Part 46 or (b) in compliance with applicable human subject research regulations; (iii) information and entities subject to HIPAA; (iv) scientific research or educational activities conducted by a public or private nonprofit postsecondary educational institution that holds an assurance with HHS pursuant to 45 C.F.R. Part 46 to the extent such research activities comply with applicable human subject research regulations; and (v) tests conducted “exclusively” to diagnose whether an individual has a specific disease “to the extent that all persons involved in the conduct of the test maintain, use, and disclose genetic information in the same manner as protected health information subject to HIPAA.”

We previously analyzed the substantive obligations in the introduced version of H.639 here. While the majority of these substantive obligations are contained in the enacted version of the bill, the enacted law does contain several changes, including:

  • Consent Obligations. The introduced version required separate consent for “each use of genetic data or the biological sample beyond the primary purpose of the genetic testing or service and inherent contextual uses.” The enacted law removes the phrase “and inherent contextual uses,” requiring consent for each use beyond the primary purpose of the genetic testing or service.
  • Consent Revocation Mechanism. The introduced version required companies to provide “effective mechanisms, without any unnecessary steps” for a consumer to revoke consent, “at least one of which utilizes the primary medium through which the company communicates to the consumer.” The enacted law revises this standard, requiring companies to provide a revocation mechanism that is “at least as easy as the mechanism by which the consumer provided the consent.”
  • Third-Party Deletion. The enacted law adds a new subsection requiring that, upon a consumer’s request to delete genetic data or destroy a biological sample, the company must notify any third parties to delete or destroy the consumer’s data no later than 30 days after the consumer makes the request. Additionally, the enacted law adds a new requirement that when a contract between a direct-to-consumer genetic testing company and a service provider terminates, the service provider must (i) immediately destroy all genetic data retained during the contractual period, and (ii) not disclose, transfer, or sell genetic data to a third party before it destroys the data.
  • Nondisclosure Protections. The enacted law expands on the nondisclosure provision included in the introduced version, which prohibited disclosure to entities responsible for insurance or employment decisions, by prohibiting disclosure of “any information about a consumer to a government entity, including the consumer’s genetic data or name” unless (i) a search warrant is issued by a court on a finding of probable cause, or (ii) the consumer provides express consent upon being notified by the company.

H.639 will take effect July 1, 2026. A violation of H.639 constitutes an unfair and deceptive act under Vermont’s Consumer Protection Act, enforceable by the Attorney General. Consumers may also bring civil actions for violations; however, prior to initiating a civil action, a consumer must notify the direct-to-consumer genetic testing company of the alleged violation, which the company has 30 days to cure. The cure period expires June 30, 2028.

Health-Related Provisions in S.71

With S.71, Vermont became the fifth state to enact provisions to regulate consumer health data, which are incorporated into its broader comprehensive privacy law. Although S.71 largely follows the approach taken in Connecticut and Maryland with respect to consumer health data, it includes several Vermont-specific variations.

S.71 defines “consumer health data” as any personal data that a controller uses to identify a consumer’s physical or mental health condition, diagnosis, or status, including gender-affirming health data and reproductive or sexual health data. The law imposes several restrictions on the collection and use of consumer health data. Specifically, a person may not:

  • Provide any employee or contractor with consumer health data unless the employee or contractor is subject to a duty of confidentiality;
  • Provide any processor with consumer health data, unless the processor complies with the obligations of the law;
  • Use a geofence that is within 1,850 feet of any health care facility, including a mental health facility or reproductive or sexual health facility, for the purpose of identifying, tracking, collecting data from, or sending any notification to a consumer regarding the consumer’s consumer health data; or
  • Sell or offer to sell consumer health data without obtaining the consumer’s consent.

S.71’s consumer health data requirements apply to any person that conducts business in Vermont or produces products or services that are targeted to Vermonters without regard to the processing-volume thresholds that govern the law’s other requirements.

S.71 also includes provisions addressing biometric and neural data, making Vermont the fifth state to enact provisions regulating neural data, following Montana, Colorado, California, and Connecticut. The law defines biometric data to include “vein patterns” and “gait or personally identifying physical movement or patterns” in addition to other, more common biometric identifiers, such as face geometry, retina scans, and fingerprints. The law defines “neural data” as any information that is generated by measuring the activity of an individual’s central nervous system. S.71 includes both biometric and neural data within the definition of “sensitive information,” subjecting these categories of data (among others) to heightened obligations under the law. S.71 expressly excludes biometric data from the definition of “publicly available information.”

S.71 will take effect January 1, 2028. S.71 is enforceable exclusively by the Vermont Attorney General.

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on managing privacy, cyber security, and artificial intelligence risks, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with U.S. and global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state laws, including the California Consumer Privacy Act, the Colorado AI Act, and other state laws. As part of her practice, she also regularly represents clients in strategic transactions involving personal data, cybersecurity, and artificial intelligence risk and represents clients in enforcement and litigation postures.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Chambers USA 2025 ranks Libbie in Band 3 Nationwide for both Privacy & Data Security: Privacy and Privacy & Data Security: Healthcare. Chambers USA notes that Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Elizabeth Brim

Elizabeth Brim is an associate in the firm’s Washington, DC office, where she is a member of the Data Privacy and Cybersecurity and Health Care Practice Groups and advises clients on a broad range of regulatory and compliance issues related to privacy and health care.

Elizabeth’s practice includes counseling clients on compliance with the complex web of health information privacy laws and regulations, such as HIPAA, the FTC’s Health Breach Notification Rule, and state medical and consumer health privacy laws as well as state consumer privacy and genetic privacy laws. She also advises clients on health care compliance issues, such as fraud and abuse, market access, and pricing and reimbursement activities.

Elizabeth routinely advises on regulatory compliance as part of transactions, clinical trial programs, collaborations and other activities that involve genetic data, and the development and operation of digital health products. As part of her practice, Elizabeth routinely counsels clients on drafting and negotiating privacy and health care terms with vendors and third parties and developing privacy notices and consent forms. In addition, Elizabeth maintains an active pro bono practice.

Elizabeth is an author of the American Health Law Association treatise, Pricing, Market Access, and Reimbursement Principles: Drugs, Biologicals and Medical Devices and the U.S. chapter of the Global Legal Insights treatise, Pricing & Reimbursement Laws and Regulations.

Clare Mathias

Clare Mathias is an associate in the firm’s Boston office. She is a member of the Data Privacy and Cybersecurity Practice Group and the Health Care Practice Group.

Clare advises clients on a wide range of privacy and health care issues, including compliance with federal health care regulations and U.S. state and federal privacy laws.

Clare also maintains an active pro bono practice.